This Data Processing Addendum (“DPA”) amends and supplements the Software as a Service Agreement (“Agreement”) entered into between Tango and Subscriber and is hereby incorporated by reference into the Agreement. By signing the Agreement, the parties enter into this DPA on behalf of themselves and, to the extent required under applicable Data Protection Laws, in the name and on behalf of their affiliates authorized to provide or receive (as applicable) the Services, and this DPA shall be effective on the Effective Date of the Agreement. All capitalized terms not otherwise defined in this DPA will have the meaning given to them in the Agreement. If there is any inconsistency or conflict between this DPA and the Agreement as it relates to data protection, this DPA will govern. Subscriber and Tango agree as follows:
1.1 “Auditing Party” means a party chosen by Subscriber to conduct an audit under this DPA.
1.2 “Data Protection Law” means any and all applicable international, national, provincial, federal, state and local laws and regulations, including as they may be enacted, amended or replaced from time to time, that relate to the terms of the Agreement, this Exhibit G, the provision of the Subscription Services or services rendered under a SOW, including but not limited to the General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act, and/or the Federal Data Protection Act of 19 June 1992 (Switzerland), as amended or re-enacted from time to time.
1.3 “Essential Information” means Subscriber Personal Data that is one of the types expressly set forth in Exhibit F of the Agreement that Subscriber, a User or a Named Customer provides to Tango in connection with the Agreement that is necessary for the operation, access and/or use of the Services by Subscriber.
1.4 “Non-Essential Information” means Personal Data provided by, or on behalf of, Subscriber, a User or a Named Customer to Tango that is not Essential Information.
1.5 “GDPR” means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC, and any amendment or replacement to it.
1.6 “EEA” means the European Economic Area.
1.7 “Process” or “Processing” means any operation or set of operations which is performed on Subscriber Personal Data, whether or not by automated means, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Subscriber Personal Data.
1.8 “Security Incident” means a breach of Tango’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Subscriber Personal Data transmitted, stored or otherwise Processed by Tango. “Security Incident” will not include unsuccessful attempts or activities that do not compromise the security of Subscriber Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
1.9 “Standard Contractual Clauses” means the standard contractual clauses, as agreed by the European Commission, for the transfer of personal data to processors established in third countries which do not ensure an adequate level of protection as set out in Commission Decision C(2010) 593, as updated, amended, replaced or superseded from time to time by the European Commission, the approved version of which in force at present is that set out in the European Commission’s Decision 2010/87/EU of 5 February 2010, available at: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087.
1.10 “Subprocessors” means third parties authorized under this DPA to have access to and Process Subscriber Personal Data in order to provide parts of the Services and any related technical support.
1.11 “Subscriber Personal Data” means any Personal Data Processed by Tango on behalf of Subscriber or a Named Customer in Tango’s provision of Services.
The terms “Controller”, “Data Subject”, “Personal Data”, “Processor”, and “Supervisory Authority” as used in this DPA will have the meanings ascribed to them in the GDPR.
2. PROCESSING OF DATA.
2.1 Application of DPA. This DPA will only apply to Subscriber Personal Data that is: (a) Essential Information, and (b) Non-Essential Information that Tango expressly agrees to Process in an executed Statement of Work that meets the requirements of Section 4.4 of the Agreement.
2.2 Application of Data Protection Law. This DPA will only apply to the extent that the Data Protection Law applies to the Processing of Subscriber Personal Data, including if: (a) the Processing is in the context of the activities of an establishment of Subscriber in the EEA; and/or (b) Subscriber Personal Data is Personal Data relating to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA.
2.3 Purpose of Processing. The purpose of data Processing under the Agreement is the provision of the Services pursuant to the Agreement. Schedule 1 (Scope of Processing) describes the subject matter and details of the Processing of Subscriber Personal Data.
2.4 Processor and Controller Responsibilities. The parties acknowledge and agree that: (a) Tango is a Processor of Subscriber Personal Data under the Data Protection Law; (b) Subscriber is a Controller or Processor, as applicable, of Subscriber Personal Data under the Data Protection Law; and (c) each party will comply with the obligations applicable to it under the Data Protection Law with respect to the Processing of Subscriber Personal Data.
2.5 Authorization by Third Party Controller. If Subscriber is a Processor, Subscriber warrants to Tango that Subscriber’s instructions and actions with respect to Subscriber Personal Data, including its appointment of Tango as another Processor, have been authorized by the relevant Controller.
2.6 Subscriber Instructions. Subscriber instructs Tango to Process Subscriber Personal Data: (a) in accordance with the Agreement and any applicable Order Form; (b) to provide the Services and any related technical support; (c) as further specified via Subscriber’s use of the Services (including in the settings and other functionality of the Services) and any related technical support; and (d) to comply with other reasonable instructions provided by Subscriber where such instructions are consistent with the terms of the Agreement and this DPA. Subscriber will ensure that its instructions for the Processing of Personal Data shall comply with the Data Protection Law. Subscriber shall have sole responsibility for the accuracy, quality, and legality of Subscriber Personal Data and the means by which Subscriber obtained the Personal Data.
2.7 Tango’s Compliance with Subscriber Instructions. Tango shall only Process Subscriber Personal Data in accordance with Subscriber’s instructions. If Tango believes or becomes aware that any of Subscriber’s instructions conflict with any Data Protection Law, Tango shall timely inform Subscriber. Tango may Process Subscriber Personal Data other than on the instructions of Subscriber if it is required under applicable law to which Tango is subject. In this situation, Tango shall inform Subscriber of such requirement before Tango Processes the Subscriber Personal Data unless prohibited by applicable law.
2.8 Tango Responsibilities. Tango will: (a) ensure that its personnel engaged in the Processing of Subscriber Personal Data have committed themselves to confidentiality obligations; (b) implement appropriate technical and organizational measures to safeguard Subscriber Personal Data taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons; (c) taking into account the nature of the Processing and information available to Tango, take reasonable measures to assist Subscriber in ensuring compliance with Articles 32 to 36 of the GDPR; and (d) keep complete and accurate records of all Processing of Subscriber Personal Data by it under the Agreement.
2.9 No Non-Essential Information. Subscriber shall not provide to Tango, import into the Services, or cause Tango to Process any Non-Essential Information, unless otherwise expressly agreed to by Tango in an executed Statement of Work that meets the requirements of Section 4.4 of the Agreement. If Tango does not expressly agree to Process Non-Essential Information pursuant to the previous sentence, Tango has no obligations or liability with respect to such data. If Subscriber inadvertently provides or causes Tango to Process any Non-Essential Information that is Subscriber Personal Data, Subscriber shall, at Subscriber’s sole cost: (a) immediately notify Tango in writing; and (b) take all necessary steps to assist Tango in removing the Non-Essential Information from Tango’s systems.
3. DATA SUBJECT RIGHTS
3.1 Tango shall, to the extent legally permitted, promptly notify Subscriber if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the Processing of Subscriber Personal Data relating to such individual. Tango shall not respond to any such request without Subscriber’s prior written consent except to confirm that the request relates to Subscriber.
3.2 Tango shall provide Subscriber with commercially reasonable cooperation and assistance to the extent legally permitted, taking into account the nature of the Processing and the information available to Tango, in fulfilling Subscriber’s obligations to respond to Data Subject requests under Data Protection Law, to the extent Subscriber does not have access to such Subscriber Personal Data through its use or receipt of the Services.
4.1 General Authorization. Subscriber agrees that Tango may authorize third parties to Process the Subscriber Personal Data on its behalf in connection with fulfilling Tango’s obligations under the Agreement and/or this DPA. Upon receipt of Subscriber’s written request, Tango shall provide Subscriber the list of Subprocessors that are currently authorized by Tango to access and Process Subscriber Personal Data.
4.2 New Subprocessors. If Tango engages a new Subprocessor, Tango will notify Subscriber by updating its list of Subprocessors located on its website, informing Subscriber of the change, and giving Subscriber the opportunity to object to such Subprocessor. If, within 30 days of receipt of that notice, Subscriber notifies Tango in writing of any objections (on reasonable grounds) to the proposed addition, the parties will work together to find a mutually agreeable solution. Tango will contractually impose data protection obligations on its Subprocessors that are at least equivalent to those data protection obligations imposed on Tango under this DPA.
4.3 Tango Liability. Tango will remain liable for the acts and omissions of its Subprocessors to the same extent Tango would be liable if performing the services of each Subprocessor directly under the terms of this DPA.
5. DATA TRANSFERS
5.1 General Authorization. Subscriber agrees that Tango may, subject to Sections 5.2 and 1.2, store and Process Subscriber Personal Data in the United States of America and any other country in which Tango or any of its Subprocessors maintains facilities.
5.2 Transfer Mechanisms. The Standard Contractual Clauses set forth in Schedule 2 to this DPA shall apply for transfers of Personal Data under this DPA from the European Union, the European Economic Area and/or their member states and Switzerland to countries which do not ensure an adequate level of data protection within the meaning of applicable Data Protection Law of the foregoing territories, to the extent such transfers are subject to such applicable Data Protection Law. By executing this DPA, the parties shall be deemed to have executed and agreed to such Standard Contractual Clauses. For purposes of the Standard Contractual Clauses, (i) Subscriber, the party transferring from the EEA or Switzerland, will be referred to as the “Data Exporter” and (ii) Tango will be referred to as the “Data Importer.” Schedule 1 to this Agreement shall apply as Appendix 1 of the Controller to Processor Standard Clauses. Schedule 2 to this Agreement shall apply as Appendix 2 of the Standard Contractual Clauses.
6. SECURITY INCIDENT
6.1 Notification Obligations. In the event Tango becomes aware of any Security Incident that is likely to result in a risk to the rights and freedoms of natural persons, Tango will within twenty-four (24) hours of such Security Incident confirmation (and every twenty-four (24) hours thereafter, until Subscriber reasonably deems the Security Incident to be fully resolved): notify Subscriber of the Security Incident by Phone at: (203) 349-6695, and by Email at: firstname.lastname@example.org.
6.2 Intentionally Omitted.
6.3 No Admission. Tango’s notification of or response to a Security Incident under this Section will not be construed as an acknowledgement by Tango of any fault or liability with respect to the Security Incident.
7. TERM; DESTRUCTION OF COMPANY PERSONAL DATA
7.1 Term of DPA. This DPA will take effect on the Effective Date and will remain in full force and effect until, and automatically expire upon, deletion of all Subscriber Personal Data as described in this DPA.
7.2 Destruction of Subscriber Personal Data. Prior to the termination of the Agreement, upon Subscriber’s reasonable request to delete Subscriber Personal Data, Tango will facilitate such deletion, insofar as possible taking into account the nature and functionality of the Services and unless Data Protection Law requires storage. Upon termination of the Agreement and within thirty (30) business days from the termination of the Agreement (unless a longer period is agreed in writing by the parties), Tango will (a) cease all Processing of Subscriber Personal Data; and (b) destroy all Subscriber Personal Data, except to the extent that Tango is required under Data Protection Law to keep a copy of the Subscriber Personal Data. After such thirty (30) business day period, Tango has no obligation to retain any Subscriber Personal Data, unless required by Data Protection Law.
8.1 Right to Audit. At Subscriber’s sole cost, Tango will allow an Auditing Party to conduct audits no less than once per year. Tango may object to any Auditing Party on the basis of Tango’s reasonable, good faith opinion that the Auditing Party is not independent, is a competitor of Tango, or is otherwise unsuitable, in which case Subscriber will appoint another Auditing Party. After receipt by Tango of a request for an audit from Subscriber, Tango and Subscriber will discuss and agree in advance on the Auditing Party, a reasonable start date of no less than four (4) weeks from Tango’s receipt of the request for such audit, the scope and duration of, and the data protection controls applicable to, the audit. The audit must be conducted during regular business hours, subject to Tango’s policies, and may not unreasonably interfere with Tango’s business activities. Any audits are at Subscriber’s sole cost and expense. Tango may charge a fee based on Tango’s reasonable costs for the audit.
8.2 Security Program. For the purposes of demonstrating compliance with the Agreement, this Exhibit G, and any applicable SOW, Tango will contractually obligate each of its subcontractors to make available to Subscriber at least annually upon request, copies of its currently valid certification for ISO 27001, compliance reports, Statements on Standards for Attestation Engagements 16 (“SSAE16”) Reports, and Service Organization Control Reports (“SOC”) Type 1 or 2, as applicable. Upon Subscriber’s request, Subscriber (and/or its third-party designee) shall be entitled to visit and audit any and all facilities, which are owned or controlled by Tango, where any Data and/or Personal Data is maintained or Processed. Tango will promptly provide or arrange to provide Subscriber with access to all such premises, as well as to all personnel, data, records, systems, controls, processes, and procedures of Tango and its personnel relating to any Subscriber Data and/or Personal Data accessed or Processed pursuant to this Agreement or any SOW. Tango, its subcontractors, and its and their respective personnel shall promptly correct, or arrange for the correction of, any non-compliance identified in any such audit at Tango’s expense. Without limiting any other obligation of Tango in relation to the Agreement and this Exhibit E, Tango and its personnel shall maintain accurate, complete, and up-to-date records of storage of back-up tapes and mobile media containing Subscriber Data and/or Personal Data, including offsite storage arrangements and media movements, which records shall be made available for auditing purposes.
8.3 Notification of Non-Compliance. Subscriber shall promptly notify Tango with information regarding any non-compliance discovered during the course of an audit. Tango will reasonably cooperate with Subscriber, at Subscriber’s expense, to assist Subscriber in ensuring compliance with Articles 32 to 36 of the GDPR taking into account the nature of Processing and the information available to Tango.
8.4 Limits on Auditing Party. Nothing in the Agreement or this DPA will require Tango either to disclose to an Auditing Party or Subscriber, or to allow an Auditing Party or Subscriber to access: (i) any data of any other customer of Tango; (ii) Tango’s internal accounting or financial information; (iii) any trade secret of Tango; (iv) any premises or equipment not controlled by Tango; or (v) any information that, in Tango’s reasonable opinion, could: (A) compromise the security of Tango’s systems or premises; or (B) cause Tango to breach its obligations under Data Protection Law or the rights of any third party; or (C) any information that an Auditing Party seeks to access for any reason other than the good faith fulfillment of Subscriber’s obligations under Data Protection Law. Subscriber shall contractually impose, and designate Tango as a third-party beneficiary of, contractual terms that prohibit any third-party Auditing Party from disclosing the existence, nature, or results of any audit to any party other than Subscriber unless such disclosure is required by applicable law.
9. REMEDIES; PARTIES
9.1 Limitation of Liability. Tango’s liability for breach of its obligations in this DPA is subject to the limitations set forth in Section 14 of the Agreement.
9.2 No Liability for Non-Essential Information. Notwithstanding anything to the contrary in the Agreement or this DPA, Tango shall have no obligations with respect to any Non-Essential Information that Subscriber, a User or a Named Customer imports into the Services or otherwise provides to Tango or causes Tango to Process unless otherwise expressly agreed to by Tango in an executed Statement of Work that meets the requirements of Section 4.4 of the Agreement. Subscriber shall be fully responsible for implementing safeguards to ensure that it, its Users and its Named Customers do not provide to Tango or import any Non-Essential Information into the Services, whether intentionally or unintentionally. Without limiting Subscriber’s obligations under the Agreement, if Subscriber or a Named Customer breaches Section 2.9 of this DPA, then Subscriber shall: (a) promptly upon Tango’s request, reimburse Tango for all liabilities incurred by Tango and its owners, officers, employees, agents, successors and assigns (collectively, the “Tango Parties”) arising, in whole or in part, from Subscriber’s breach; and (b) indemnify, defend, and hold harmless the Tango Parties against any liabilities incurred by the Tango Parties in connection with any third party or first party claim arising out of or relating to Subscriber’s or a Named Customer’s breach, including liabilities Tango incurs in connection with any government investigation, fines and/or penalties arising out of such breach. Subscriber’s liability under this Section 9.2 is not subject to the limitations set forth in Section 14 of the Agreement.
9.3 Parties to this DPA. Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.
SCHEDULE 1: SCOPE OF PROCESSING
- Subject Matter of the Processing of Subscriber Personal Data: Tango will Process Subscriber Personal Data of Data Subjects in order to perform the Services under the Agreement.
- Duration of the Processing of Subscriber Personal Data: Tango will Process Subscriber Personal Data until the expiration or termination of the Agreement, unless prohibited by Data Protection Law.
- Nature and Purpose of the Processing of Subscriber Personal Data: The nature and purpose of the Processing of Subscriber Personal Data will be to perform the Services under the Agreement.
- Types of Subscriber Personal Data: The types of Subscriber Personal Data Processed by Tango for the purposes of the Agreement include the following:
  - Essential Information; and
  - Non-Essential Information that Tango expressly agrees to Process in accordance with Section 4.4 of the Agreement.
- Categories of Data Subjects: The categories of Data Subjects about whom Tango will Process Subscriber Personal Data include:
  - Subscriber’s Users
The implemented security measures shall include:
- Access to the Data Importer’s servers that support the Services is available only to members of the Tango data team that is primarily responsible for data management tasks relevant to the project.
- Data is backed up regularly by the Data Importer.
- Only members of the Data Importer’s data management team who are assigned to Subscriber’s account will have access to data.
- All instances of the Services are hosted in the cloud and access is restricted and controlled via ‘key-based’ authentication.
Network and data security
- The Data Importer shall take appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing of the Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.